Okay but I'm not proposing a change in CPS-error revocation policy. I am proposing a change in the way CPS docs are generated. I'd like them all to move to github and be pulled directly from the CA systems, turning them into a technical document instead of something human created (and mostly filled with - IMO - less useful information). For example, does anyone read Section 9? What good is that? I have no concerns with revoking for CPS errors but I think the current way CPS docs are done is error prone and too human-dependent.
On Wed, Jun 18, 2025 at 7:07 PM Mike Shaver <[email protected]> wrote:
> Thanks for this–I genuinely appreciate the effort–but I think it's not quite the right analysis.
>
> For evaluating the impact of a change to CPS-error revocation policy, we want to consider the set of some CPS-related misissuances that were *not* also BR issues. (And separately were not so serious that they would still require revocation after such a loosening, but I don't exactly know where that line is proposed to be drawn.)
>
> A little birdie tells me that analysis of such incidents over the last three years will reveal a total under 50,000 for the number of certificates that have been revoked due to a CPS-breaking-but-not-BR-breaking misissuance. (Prior to Microsoft's misissuance, of course, but that wouldn't have been an issue if it had happened after Microsoft completed the CRL sharding deployment because of very wide adoption of automation by Microsoft's subscriber base [also Microsoft, fair enough].)
>
> I have not seen and certainly not performed the analysis in question, but I'm willing to trust it nonetheless.
>
> Mike
>
> On Mon, Jun 16, 2025 at 8:00 PM Jeremy Rowley <[email protected]> wrote:
>
>> Good question. I went through the last year of bugs and found the ones listed below. Determining what is a CPS violation vs. a BR violation is difficult because so many BR violations are also a CPS violation (as a lot of CPS documents mirror the BRs). I split it up between profile errors (at the bottom) and CPS related issues (at the top), both of which would be solved by automated CPS generation and a shift to treat the CPS document as a technical disclosure instead of a contract.
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the full revocation reasons in its CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs but since the T&Cs generally incorporate the CPS I thought I'd count it?
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS and the BRs
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info in the CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on T&Cs (which would incorporate the CPS)
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not working
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document mis-paste
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not compliant with CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in violation of CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published in time. This violated the BRs but would also violate the CPS if such items were actually dictated by the CPS instead of just the BRs.
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not accepting attachments
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the ETSI requirement but not the BRs I think? Which would make it a CPS violation.
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update CPS docs (note that the proposal would help remediate this by requiring automatic updates to CPS docs as things change).
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS on OCSP responses
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA checking
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of onboarding SOP
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP provided
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity not permitted in CPS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR address
>>
>> I'm listing the profile issues as well, as the proposal would address this issue, or at least make these issues more readily identifiable. If CAs are required to provide the profile directly from the CA, the profile can easily be compared to the BRs and issues identified. Right now the profile may not match the CPS so the CPS will be compliant but the profile will not match the requirements.
>>
>> Profile mismatches:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert policies
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies extension issue
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed
>>
>> On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <[email protected]> wrote:
>>
>>> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <[email protected]> wrote:
>>>
>>>> Given the number of bugs related to CPS errors,
>>>
>>> Perhaps you’re in a position to answer this question: how many bugs *have* there been in the last few years related to CPS errors, and how many certs have been subject to revocation for that reason, pre-Microsoft?
>>>
>>> Mike

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAFK%3DoS-Ys5ewtm_QP2y57f6qHsQqmCqKy9eYn8JNQrQDYryzjA%40mail.gmail.com.
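The thread's two technical points, a CPS generated from the CA's own systems (Jeremy's opening proposal) and a CA-exported certificate profile that can be checked mechanically against the requirements and against what the CPS says (the remark before the "Profile mismatches" list), can be illustrated with a small script. The following is an added example, not code from this thread, from Mozilla, or from any CA. It assumes a constructed machine-readable profile format (dicts with `aia`, `crldp`, `certificatePolicies` and `subject` keys), constructed CA host names under `example-ca.test`, and a handful of checks that only approximate BR constraints (HTTP URLs in AIA and CRLDP, exactly one CA/Browser Forum reserved policy OID, single-valued subject attributes); it is not a complete linter.

```python
"""Lint a machine-readable certificate profile and diff it against the
profile disclosed in the CPS.  The profile format, the host names and the
sample data below are constructed for this example; the checks are
simplified approximations of BR constraints, not the BRs themselves."""
from urllib.parse import urlparse

# CA/Browser Forum reserved policy identifiers for subscriber certificates.
CABF_RESERVED_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}

# Subject attributes this example allows at most once (assumption, covering the
# "Duplicate attribute" / "2 Localities listed" class of mismatch in the thread).
SINGLE_VALUED_SUBJECT_ATTRS = {"C", "ST", "L", "O", "CN"}


def _require_http(urls, field, findings):
    """Record a finding for every URL whose scheme is not plain http."""
    for url in urls:
        scheme = urlparse(url).scheme.lower()
        if scheme != "http":
            findings.append(f"{field}: {url} uses scheme '{scheme}', HTTP URL required")


def lint_profile(profile):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    aia = profile.get("aia", {})
    _require_http(aia.get("ocsp", []), "aia.ocsp", findings)
    _require_http(aia.get("caIssuers", []), "aia.caIssuers", findings)
    _require_http(profile.get("crldp", []), "crldp", findings)

    # Exactly one reserved CA/B Forum policy OID (assumption for this example).
    reserved = [oid for oid in profile.get("certificatePolicies", [])
                if oid in CABF_RESERVED_POLICY_OIDS]
    if len(reserved) != 1:
        findings.append("certificatePolicies: expected exactly one reserved "
                        f"CA/B Forum OID, found {len(reserved)}")

    # Count subject attributes; the profile lists them as (type, value) pairs.
    counts = {}
    for attr, _value in profile.get("subject", []):
        counts[attr] = counts.get(attr, 0) + 1
    for attr in sorted(counts):
        if attr in SINGLE_VALUED_SUBJECT_ATTRS and counts[attr] > 1:
            findings.append(f"subject: attribute {attr} appears {counts[attr]} times")
    return findings


def _flatten(profile, prefix=""):
    """Flatten nested dicts into dotted keys so two profiles compare field by field."""
    flat = {}
    for key, value in profile.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(_flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def diff_profiles(cps_profile, ca_profile):
    """Return (field, cps_value, ca_value) for each field where the CPS and the
    CA system disagree; list order matters, which is deliberate for subject DNs."""
    cps_flat, ca_flat = _flatten(cps_profile), _flatten(ca_profile)
    return [(field, cps_flat.get(field), ca_flat.get(field))
            for field in sorted(set(cps_flat) | set(ca_flat))
            if cps_flat.get(field) != ca_flat.get(field)]


# Constructed sample: the profile as written in the human-maintained CPS ...
CPS_PROFILE = {
    "aia": {"ocsp": ["http://ocsp.example-ca.test"],
            "caIssuers": ["http://cacerts.example-ca.test/issuing.crt"]},
    "crldp": ["http://crl.example-ca.test/issuing.crl"],
    "certificatePolicies": ["2.23.140.1.2.2"],
    "subject": [("C", "US"), ("ST", "Utah"), ("L", "Lehi"),
                ("O", "Example Corp"), ("CN", "www.example.test")],
}

# ... and the profile exported from the CA's issuance system (constructed so that
# it exhibits several of the mismatch classes listed in the thread).
CA_SYSTEM_PROFILE = {
    "aia": {"ocsp": ["https://ocsp.example-ca.test"],
            "caIssuers": ["ldap://ldap.example-ca.test/cn=Issuing%20CA"]},
    "crldp": ["ldap://ldap.example-ca.test/cn=Issuing%20CA?certificateRevocationList",
              "http://crl.example-ca.test/issuing.crl"],
    "certificatePolicies": ["2.23.140.1.2.1", "2.23.140.1.2.2"],
    "subject": [("C", "US"), ("ST", "Utah"), ("L", "Lehi"), ("L", "Salt Lake City"),
                ("O", "Example Corp"), ("CN", "www.example.test")],
}

if __name__ == "__main__":
    for finding in lint_profile(CA_SYSTEM_PROFILE):
        print("LINT", finding)
    for field, cps_value, ca_value in diff_profiles(CPS_PROFILE, CA_SYSTEM_PROFILE):
        print(f"DIFF {field}: CPS={cps_value} CA={ca_value}")
```

Run stand-alone, the CPS profile lints clean while the CA-exported profile produces five findings and five field-level differences, which is the situation the thread describes: the CPS reads as compliant, but what the CA actually issues does not match it. Publishing the exported profile in version control and running a check like this on every change is what turns the CPS from a contract into a technical disclosure.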
